Closed Bug 834001 Opened 11 years ago Closed 9 years ago

Add new GeoTrust DSA root

Categories

(CA Program :: CA Certificate Root Program, task)

RESOLVED WONTFIX

People

(Reporter: rick_andrews, Assigned: kathleen.a.wilson)

Attachments

(1 file, 1 obsolete file)

Attached file CAInformationTemplate_GeoTrustNew.docx (obsolete)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Build ID: 20130116073211

Steps to reproduce:

I would like to add this new GeoTrust root to Mozilla's trust list:
GeoTrust Primary Certification Authority - G4 (SHA256WithDSA)

And set the Websites (SSL/TLS), Email (S/MIME), Code Signing and EV trust bits.
Added information about external subordinate CA customers.
Attachment #705576 - Attachment is obsolete: true
I apologize for the delay in my response. My work on root inclusion requests was postponed for a while.

I am accepting this bug, and will work on it as soon as possible, but I have a large backlog.
https://wiki.mozilla.org/CA:Schedule#Requests_in_the_Information_Gathering_and_Verification_Phase

I will update this bug when I begin the Information Verification phase.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Hi Kathleen,

Please let us know the next steps.

Regards,
Rashmi Tabada
(In reply to Rashmi Tabada from comment #3)
> Please let us know the next steps.

1) Provide *public-facing* auditor's statements regarding Symantec's compliance with the Baseline Requirements.
https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Baseline_Requirements
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
"6. We require that all CAs whose certificates are distributed with our software products:  ...
- provide public attestation of their conformance to the stated verification requirements"

2) Respond to BR-Compliance Bugs
Bug #1017544 - GeoTrust: Invalid encoding in certificates
Bug #1017550 - VeriSign: Invalid encoding in certificates
Bug #1037906 - Equifax: Still valid 1024 certificates

3) Provide a concrete plan for *removing* old Symantec roots. There are too many Symantec roots in Mozilla's CA program.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/
search for "(owned by Symantec)"

4) Prioritize Symantec's inclusion requests -- I only have the bandwidth to work on one of these at a time, along with all of my other work. 

Bug #833974 - VeriSign - EV for included ECC root
Bug #833986 - New Symantec branded roots
Bug #833996 - Thawte - EV, DSA
Bug #833998 - Thawte - EV for included ECC root
Bug #834001 - GeoTrust - EV, DSA
Bug #834004 - GeoTrust - EV for included ECC root
(In reply to Kathleen Wilson from comment #4)

4) Prioritize Symantec's
In priority order for current requests regarding adding/enabling roots....
1. Bug #833986 - New Symantec branded roots
2. Bug #833974 - VeriSign - EV for included ECC root
3. Bug #833998 - Thawte - EV for included ECC root
4. Bug #834004 - GeoTrust - EV for included ECC root
5. Bug #833996 - Thawte - EV, DSA 
6. Bug #834001 - GeoTrust - EV, DSA
We are removing support for DSA/DSS certificates completely from Gecko and mozilla::pkix. Whether or not this certificate should be added should be contingent on the results of bug 1073867 and bug 1107787.
See Also: → 1073867, 1107787
Mozilla does not plan to add DSA support to Mozilla's CA Certificate Policy, so we will not add DSA root certs to NSS.
https://groups.google.com/d/msg/mozilla.dev.security.policy/JFmDFlHILOY/KHJzcJezpnQJ
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
Product: mozilla.org → NSS
Product: NSS → CA Program